Privacy and personal data

Privacy and personal data ESTELAR Yopal Hotel

Privacy and personal data Hotel in Colombia

For HOTELES ESTELAR S.A. it is very important to preserve and protect the integrity and confidentiality of the personal data of all its clients. With this in mind, we designed a set of policies for the storage and treatment of the information provided by our clients through the various commercialization channels of our products and services, such as websites, call centers, etc., and we are committed to protect and properly manage the same pursuant to the legal dispositions regarding personal data protection applicable in each territory where we operate.

CHAPTER I

GENERAL DISPOSITIONS

ARTICLE 1. DEFINITIONS. For the purpose of the applicability of the regulations appertaining to these policies and pursuant to the dispositions of Article 3rd of Act 1581 of 2012, the following terms should be interpreted as described below:

b) Privacy Statement: Verbal or written communication issued by the Responsible Party addressed to the information Holder regarding the treatment of his/her personal data, by means of which the Holder is duly informed about the existence of the information treatment policies applicable, the way to access said information and the purpose intended for said personal data.

c) Databases: Organized set of personal data purpose of this Treatment.

d) Personal Data: Any information related to or that can be related to one or more identified or identifiable individuals.

e) Private Data: This relates to said information that due to it being reserved or private, it may only be relevant for the information Holder.

f) Sensitive Data: It is understood as sensitive data those details that have direct effect on the information Holder’s privacy or which improper use may cause its discrimination, like the information that reveals the ethnic group or race, the political orientation, the religious or philosophical conviction, the belonging to work associations, social organizations, human rights groups or those groups that promote interests in any political party, or groups guaranteeing the rights and warranties of opposing political parties, as well as the data regarding health, sexual life and biometric data.

g) Entity Responsible for Information Treatment: Natural or legal person that on its own account or in association with others, performs the treatment of personal data on account of the entity Responsible for the Treatment.

h) Entity Responsible for the Treatment: Natural or legal person, public or private, that on its own account or in association with others, decides on the database and/or data Treatment.

j) Treatment: Any operation or set of operations with personal data, such as recollection, storage, use, circulation or removal of the same.

ARTICLE 2. OBJECT. This document has the purpose of regulating the procedures involving the duties performed by HOTELES ESTELAR S.A. regarding the recollection, management and treatment of personal data, in order to guarantee and protect the fundamental right of habeas data of its guests, visitors, clients, users and suppliers within the framework established by the law.

All the above, in compliance with the dispositions of paragraph (k) of Article 17 of Act 1581 of 2012, which regulates the duties given to those entities responsible for personal data treatment, among which there is the responsibility of generating an internal policies and procedures manual to guarantee the proper compliance of the legislation, and particularly to properly respond any queries and claims.

ARTICLE 3. APPLICATION SCOPE. This manual is applicable to the personal data recorded and to be recorded in the different databases managed by HOTELES ESTELAR S.A., which includes the databases of our guests, visitors, clients and suppliers, as they may provide their information for commercial purposes.

The information collected by HOTELES ESTELAR S.A., may include, in whole or in part, pursuant to the needs of each product and/or service, the following data, among other:

Name(s) and family name(s)Type and number of identification document.Nationality and country of residence.Date of birth and gender.Marital status and/or relationship to any minors or handicapped persons requesting our services.Contact telephone and mobile phone numbers (personal and/or work related).Postal address(es) and electronic mail account(s) (personal and/or work related).Occupation.Company where the individual works and position.Place of origin and destination.Purpose of travel.Information on credit card(s) (number, issuing Bank, date of expiration).Personal data of credit card holder (full name(s) and family name(s), type and number of identification).Information on the address where the credit card holder receives his/her account statements.These data may be stored and/or processed in servers located in computing centers, either of its property or hired through third party suppliers, which activities are duly authorized by our guests, visitors, users and suppliers upon accepting this Privacy Policy.

ARTICLE 4. INFORMATION ACCURACY. Our guests, visitors, clients, users and suppliers shall provide accurate information on their personal data for the purpose of enabling a proper service provision by HOTELES ESTELAR S.A. and under which condition, they agree to provide the information required.

HOTELES ESTELAR S.A. presumes the accuracy of the information provided and it does not verify it. HOTELES ESTELAR S.A. does not assume the responsibility of verifying the identity of guests, visitors, clients, users and suppliers, nor the accuracy, validity term, sufficiency and authenticity of the data each individual provides. As a consequence, it does not undertake any responsibility for damages and/or prejudice of any nature that may result in the lack of accuracy, validity, sufficiency or authenticity of the information, including damages and prejudice that may result from homonymous names or identity theft.

ARTICLE 5. APPLICABLE LEGISLATION. This manual was generated in compliance with the dispositions of Act 1581 of 2012 “Which enacts the general provisions to protect personal data” and with Decree number 1377 of 2013 “Which partially regulates Act 1581 of 2012.”

ARTICLE 6. INFORMATION ON CHILDREN AND UNDERAGE YOUNG ADULTS.HOTELES ESTELAR S.A. shall ensure the proper use of personal data on children and underage young adults thus guaranteeing that while treating their data, their fundamental rights are fully respected, and if possible, in considering their own opinion as actual owners of their personal data.

ARTICLE 7. OBJECTIVES OF PERSONAL DATA TREATMENTThe information collected is used to process, confirm, fulfill and provide the services and/or products acquired directly and/or with the participation of third party suppliers of products or services, as well as to promote and publish our activities, products and services, perform transactions, produce reports for the various national or international administrative control and surveillance authorities, for police authorities or legal authorities, banking institutions and/or insurance companies, for internal and/or commercial purposes, such as market research tasks, auditing, accounting reports, statistical analysis, invoicing, and for offering and/or acknowledging the company’s benefits of our loyalty programs.

Upon accepting this Information Privacy and Treatment Policy, our guests, visitors, clients, users and suppliers, in their capacity as holders of the data collected, hereby authorize HOTELES ESTELAR S.A. to treat the same, in whole or in part, including the recollection, storage, recording, use, circulation, processing, removal, for the execution of all activities related to the services and products acquired, such as making reservations, modifications, cancellations and changes in the same, making reimbursements, responding to queries, complaints and claims, payment compensations and indemnifications, accounting records, correspondence, processing and verifying credit and debit cards and other payment instruments, identifying frauds and preventing asset laundering and any other illegal activities and/or for the proper implementation of loyalty programs and all other purposes indicated in this document.

All the above, without causing any prejudice to other purposes informed in this document, in accordance with the terms and conditions of each one of the products and services of each one of the business units.

We hereby advise that third party suppliers may be involved in these activities, such as suppliers of reservations systems, travel agencies, call centers, banking institutions and insurance companies.

Additionally, our travelers, clients and users, in their capacity as holders of the data collected, upon acknowledging this privacy policy, thereby authorize us to:

Use the information obtained from them for marketing their products and services and the products and services of third parties with which HOTELES ESTELAR S.A. has business relationships.Provide personal data to the control and surveillance authorities, police or legal authorities, by virtue of a legal requirement or disposition, and/or use or disclose said information and personal data to protect its rights and/or assets when said defense relates to the products and/or services contracted by its travelers, clients and users.Allow accessing the personal data and information to statutory auditors or their contracted parties to perform internal or external auditing of the commercial activity we develop.Consult and update the personal data, at any time, with the purpose of keeping said information updated.Contract through third party providers the storage and/or processing of the personal data and information for the proper execution of the contracts entered into with us, under the security and confidentiality standards by which we are compelled.CHAPTER II

AUTHORIZATION

ARTICLE 8. AUTHORIZATION. The collection, storage, use, circulation or removal of personal data by HOTELES ESTELAR S.A. requires the independent, prior, specific and informed consent of the information Holder. HOTELES ESTELAR S.A., under its condition of entity responsible for the treatment of personal data, has established all the necessary mechanisms to obtain the authorization of information holders guaranteeing, under any circumstance, the possibility of verifying the granting of said authorizations.

With the above authorization, the client accepts the policies and conditions defined in this document.

ARTICLE 9. MECHANISM AND MEANS TO GRANT THE AUTHORIZATION. The information Holder’s authorization shall include each and all mechanisms and methods of data collection used by HOTELES ESTELAR S.A.

Accordingly, it will be established in a physical, electronic or in any format type that allows its successive consultation. The authorization shall be issued by the information Holder prior to the submission of his/her personal data, pursuant to the dispositions of Act 1581 of 2012.

The authorized consent procedure serves to guarantee that the personal data Holder has been duly informed about the fact that his/her personal information will be collected and used for specific and known purposes, and also about the fact that he/she has the option of learning about any modifications made to the same and the specific use given to said data. The above with the purpose of enabling the information Holder to make informed decisions regarding his/her personal data and to control the use of said personal information.

CHAPTER III

RIGHTS AND OBLIGATIONS

ARTICLE 10. RIGHTS OF THE INFORMATION HOLDERS. Pursuant to the dispositions of Article 8 of Act 1581 of 2012, the personal data Holder has the following rights:

a)

To identify, update and correct his/her personal data provided to HOTELES ESTELAR S.A., in its capacity as the entity responsible for the treatment of the information.

b) To request proof of the authorization granted to HOTELES ESTELAR S.A., in its capacity as the entity responsible for the treatment of the information.

c) To be informed by HOTELES ESTELAR S.A., upon prior request, in regards to the use that it has given to his/her personal data.

d) To submit to the Superintendent’s Office of Industry and Commerce any complaints on violations to the dispositions of Act 1581 de 2012, once the consultation or claim resource has been exhausted before the entity Responsible for the information Treatment.

e) To revoke the authorization and/or request the withdrawal of data when the information Treatment does not comply with the principles, rights, and constitutional and legal warranties.

f) To obtain free access to his/her personal data that has been subject to Treatment.

ARTICLE 11. RESPONSIBILITIES OF HOTELES ESTELAR S.A. IN REGARDS TO THE TREATMENT OF PERSONAL DATA. HOTELES ESTELAR S.A. shall bear in mind, at all times, that the personal data are property of the people they refer to and, therefore, only said people may make decisions about their data. In this sense, HOTELES ESTELAR S.A. may only

use the data for the purposes duly authorized and in respecting at all times the dispositions of Act 1581 of 2012 on personal data protection.

Pursuant to the dispositions of Article 17 of Act 1581 of 2012, HOTELES ESTELAR S.A. undertakes to permanently fulfill the following responsibilities:

a) Guarantee to the Holder, at all times, the full and effective exercise of the habeas data right.

b) Preserve the information under the safety conditions required to prevent its modification, loss, consultation, use or unauthorized or fraudulent access.

c) Perform on a timely basis, in accordance with the dispositions established in Articles 14 and 15 of Act 1581 of 2012, the updating, verification or removal of data.

d) Process the queries and claims submitted by the information Holders within the terms described in Article 14 of Act 1581 of 2012.

e) Insert in the database the wording “information under legal discussion” once notified by the competent authority on legal processes related to the quality or details of personal data.

f) Refrain from sharing information that is under dispute by its Holder and regarding which a restriction has been ordered by the Superintendent’s Office of Industry and Commerce.

g) Allow access to the information solely to the people that may have access to the same.

h) Report to the Superintendent’s Office of Industry and Commerce when there are any violations to the safety code and there is evident risk in the management of the Holders’ information.

i) Comply with the instructions and requirements established by the Superintendent’s Office of Industry and Commerce.

CHAPTER IV

ACCESS, CONSULTATION AND CLAIMING PROCEDURES

ARTICLE 13. RIGHT TO ACCESS: The Holder’s right to dispose or decide over his/her information necessarily entails the right to access and know if his/her personal information is subject to treatment, as well as to the scope, conditions and generalities of said treatment.

Similarly, the information holder has the right to request the rectification, should there be incorrect or incomplete information, and to cancel the same whenever these are not used in accordance with the objectives and legal or contractual terms or in accordance with the dispositions and terms established in this Privacy Policy.

HOTELES ESTELAR S.A. shall guarantee the right to access the information, upon prior accreditation of the Holder’s identity or of his/her legal representative, whenever required to do so as per Act 1581 of 2012.

The clients and user may exercise their right to learn, update, correct and remove their personal data by sending an e-mail to contacto@hotelesestelar.com or via telephone at (+57-1) 5877990 ext. 7772 y ext. 7774, as specified in this Privacy Policy.

The request shall include the following details:

Name(s) and family name(s)Type of identification documentNumber of identification documentTelephoneE-mailCountrySubjectARTICLE 13. RESPONSE TO QUERIES. Under any circumstance, independently from the mechanism implemented to respond to queries, these shall be responded within a maximum term of ten (10) business days as from the day of receipt. Whenever the query may not be responded within said time, the person interested shall be informed of said delay within the ten days by explaining the reasons for the delay and indicating the date on which the query shall be properly responded, which under no circumstance shall be five (5) business days past the expiration of the initial term to respond.

ARTICLE 14. CLAIMS. Pursuant to the dispositions of Article 14 of Act 1581 of 2012, should the information Holder, or those entitled, consider that the information included in a database shall be corrected, updated or removed, or whenever they presume the violation of any of the responsibilities as defined in Act 1581 of 2012, they may submit a claim to the entity Responsible for the Treatment of the information, which claim shall be processed in compliance with the following regulations:

Claims shall be submitted by the information Holder in the appropriate forms designated for said purpose by HOTELES ESTELAR S.A. in its Hotel registry. If the claim does not have all the information required to process it appropriately, that is the Holder’s identification document, the full description of the situation that results in the claim, the address and all the supporting documents, then the petitioner shall be notified within five (5) days of the initial receipt of the claim in order to correct said faults. If aftertwo (2) months from said requirement, the petitioner has not provided the information requested, then it shall be understood that the petitioner is no longer interested in further pursuing said claim. If under any circumstance, the Company receives a claim that in fact should not be addressed to the Company, then said claim will be re-submitted to the appropriate party within a maximum term of two (2) days and it shall inform the petitioner about this situation.Once the complete claim has been received, the database held by HOTELES ESTELAR S.A. shall be added with a wording saying “claim under progress” and the reason for said claim, within a term not exceeding two (2) business days. Said wording shall remain active until a decision has been made on the claim.The maximum term for solving claims is fifteen (15) business days as from one day after their receipt date. Whenever it is not possible to respond to said claim within the term established, the petitioner shall be informed, within the initial term, about the reason for the delay and about the expected date when said claim will be responded, which under any circumstance shall not exceed eight (8) business days after the expiration of the initial fifteen (15) days term.ARTICLE 15. PROCEDURE IMPLEMENTATION TO GUARANTEE THE RIGHT TO SUBMIT CLAIMS. At any time and without any charges, the Holder or his/her representative may request to HOTELES ESTELAR S.A. the correction, updating or removal of their personal data, upon accrediting their identity.

The right to correct, update or remove data may only be exercised by:

The information Holder or those entitled, upon accrediting their identity, or through electronic means allowing their proper identification.Their legal representative, upon accrediting said representation rights.When the request has been submitted by someone different from the Holder and said representation is not properly accredited as a representative of the Holder, said request shall not be deemed as submitted.

The request, update or removal shall be submitted through the means previously established by HOTELES ESTELAR S.A. and indicated in the privacy statement, and it shall include at least the following information:

The complete name and domicile of the Holder or any other means designated to receive the response.The documents that accredit the identity or personality of its representative.The clear and exact description of the personal data with regards to which the Holder seeks to exercise any of his/her rights.If required, other elements or documents that facilitate the localization of personal data.ADDITIONAL PARAGRAPH 1. DATA UPDATING AND RECTIFICATION. HOTELES ESTELAR S.A. is required to rectify and update, upon request of the Holder, the information that is incomplete or incorrect, pursuant to the procedure and the terms indicated above. To this regard, the following aspects should be taken into consideration:

In the rectification and updating of personal data, the Holder shall indicate the corrections that need to be made and he/she shall submit any supporting documents that endorse their request.

HOTELES ESTELAR S.A. is free to activate mechanisms that facilitate the exercise of this right, provided these act in benefit of the Holder. Consequently, any electronic means or other means considered relevant may be activated.

HOTELES ESTELAR S.A. may define forms, systems and other simplified methods, which shall be published in the privacy notice and which shall be available in the website to anyone interested in using these.

HOTELES ESTELAR S.A. shall use its currently operational customer service channels to serve its clients, provided the response terms do not exceed the terms defined in Article 15 of Act 1581 of 2012.

Each time that HOTELES ESTELAR S.A. offers a new tool to facilitate the information Holders to exercise their rights or each time it modifies any existent tool, HOTELES ESTELAR S.A. shall inform of said availability through its website.

a) Considers that the data are not being treated pursuant to the principles, duties and obligations defined in Act 1581 of 2012.

b) Believes that these no longer serve the purpose or are not relevant for the purpose initially collected.

c) Believes that the term has expired for the purpose initially collected.

This removal implies the total or partial removal of the personal information, as per the request of the Holder, included in the records, files, databases or any other treatment given by HOTELES ESTELAR S.A. It is important to consider that the cancellation right is not absolute and the responsible one may deny exercising the same when:

The information removal request is not appropriate when the Holder has the legal or contractual duty to remain active in the database.The data removal acts as an obstacle to any legal or administrative actions related to fiscal duties, research duties and criminal offenses or the update of administrative sanctions.The data are considered as necessary to protect the interests legally privileged of the Holder to enact an action in serving the public interest, or to fulfill an obligation legally acquired by the Holder.Should the deletion of personal data be relevant, HOTELES ESTELAR S.A. shall operatively perform the removal of data in such a way that it does not allow recovering the same.

ARTICLE 16. REVOKING THE AUTHORIZATION. The personal data Holders may revoke, at any time, their consent to the treatment of their personal data, provided it is not prevented by any legal dispositions. For revoking the authorization, the Holder shall contact HOTELES ESTELAR S.A. via e-mail addressed to contacto@hotelesestelar.comor via telephone at (+57-1) 5877990 ext. 7772 and 7774.

One should bear in mind that there are two situations that can result in the revoking consent. The first situation refers to all the purposes agreed to, that implies that HOTELES ESTELAR S.A. shall fully stop treating the Holder’s data; the second situation refers to specific types of treatment, such as for publicity purposes or marketing studies. The second situation, that is the partial revoking of consent, remains valid for other treatment purposes that the entity responsible may develop pursuant to the authorization granted and which the Holder has agreed to.

Due to the above, it is necessary that the Holder, at the time of requesting the revoking of his/her consent to HOTELES ESTELAR S.A., indicates if this revoking is total or partial. Should it be the latter, then he/she shall indicate with which treatment he/she disagrees. There will be situations when the consent may not be revoked, given its necessary character in regards to the Holder and the entity responsible in due compliance of the agreement, given its legal dispositions. The mechanisms or procedures that HOTELES ESTELAR S.A. establishes to fulfill revoking requests may not exceed, at any time, the terms defined to respond to claims as indicated in Article 15 of Act 1581 of 2012.

CHAPTER V

INFORMATION SAFETY

ARTICLE 17. SAFETY MEASURES. In fulfilling the safety principles established in Act 1581 of 2012, HOTELES ESTELAR S.A. has adopted the technical, human and administrative measures required to offer complete safety to the records by avoiding their modification, loss, consultation, use or unauthorized or fraudulent access.

Notwithstanding the above, the client assumes any risks implied and resulting from the delivery of this information though a means like internet, which is subject to several variables, such as attacks by third parties, and technical or technological failures, among other. HOTELES ESTELAR S.A. will do its best technological effort to guarantee the safety of its clients and/or users’ personal data, by employing reasonable and current safety measures to avoid unauthorized access, to maintain the accuracy of all data and to guarantee the proper use of this information.

a) All third parties contracted by HOTELES ESTELAR S.A. shall be bound to and comply the information safety policies and manuals, in addition to being bound by the safety protocols that we apply in all our processes.

b) All agreements executed by HOTELES ESTELAR S.A. with third parties (contractors, external consultants, temporary collaborators, etc.) that involve the treatment of information and personal data, shall include a confidentiality clause detailing its commitments regarding the protection, care, safety and preservation of the confidentiality, integrity and privacy of said information and data.

c) The application environment for procedures shall include specific details on the resources being protected.

d) The measures, regulations, procedures, dispositions and standards aiming to guarantee the safety level demanded by Act 1581 of 2012.

e) The description of staff duties and obligations.

f) The structure of personal databases and description of the information systems that deal with these.

g) The procedures to notify, manage and respond in case of special incidents.

h) The procedures to make backup copies and to recover data.

i) The performance of periodical controls to verify the compliance of the dispositions of the safety procedures implemented.

j) The measures to adopt when certain support or document is to be transported, discarded or reused.

k) The procedures shall be updated at all times and these shall be reviewed whenever relevant changes are made to the information system or to its organization.

l) The procedure content shall be adapted at all times to the valid dispositions regarding the safety of personal data.

CHAPTER VI

FINAL DISPOSITIONS

ARTICLE 19. MODIFICATIONS TO PRIVACY POLICIES.HOTELES ESTELAR S.A. reserves itself the right to make modifications or to update, at any time, this Privacy Policies in order to comply with new legislations, internal policies or new requirements related to the provision or offer of its services or products.

ARTICLE 20. TERM OF VALIDITY OF INFORMATION AND PERSONAL DATA TREATMENT.The information provided by clients and users shall remain in file for a term of fifteen (15) years as from the date of their most recent treatment, thus allowing us the compliance of all legal and/or contractual obligations, particularly those related to accounting, fiscal and tax matters.

In furtherance of the provisions of Article 17 of Law 679 of 2001, ESTELAR Hotels, warns the tourist exploitation and sexual abuse of children in the country are criminal and administrative sanctions in accordance with applicable laws.